
haproxy调优记录

一键脚本:

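# Fetch the helper script and run it. -f (--fail) makes curl exit non-zero on an
# HTTP error instead of saving the error body, so the && chain never chmods and
# executes a non-script file. The script runs with the invoking user's privileges
# (the page expects root, since it changes system limits): read it once locally
# before the ./ophaproxy.sh step.
curl -sSf -O https://raw.githubusercontent.com/woniu336/open_shell/main/ophaproxy.sh && chmod +x ophaproxy.sh && ./ophaproxy.sh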

验证

# Soft limit on open file descriptors for the current shell; the page uses it to
# verify the effect of the script run above
ulimit -n

haproxy脚本

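# Fetch the HAProxy setup script and run it. -f (--fail) makes curl exit non-zero
# on an HTTP error instead of saving the error body, so the && chain never chmods
# and executes a non-script file. The script installs and configures a system
# service: read it once locally before the ./setup_haproxy.sh step.
curl -sSf -O https://raw.githubusercontent.com/woniu336/open_shell/main/bt-cf/haproxy/setup_haproxy.sh && chmod +x setup_haproxy.sh && ./setup_haproxy.sh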

验证

# Parse-check the configuration (-c) without starting HAProxy; run this before
# every restart so a typo does not take the service down
sudo haproxy -c -f /etc/haproxy/haproxy.cfg

可以根据服务器核心数调整 nbthread 参数(默认示例为 nbthread 1),例如 4 核心则设置为 nbthread 4

检查 HAProxy 服务状态:

# Unit state plus the most recent journal lines for the haproxy service
systemctl status haproxy

重启

# Full stop/start of the service (in-flight connections are dropped)
systemctl restart haproxy

ssh连接优化

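# sshd hardening/tuning. Each directive is replaced in place when an uncommented
# line for it already exists, otherwise appended; the three settings share one
# helper instead of three copies of the same if/else.
sshd_config=/etc/ssh/sshd_config

# Keep a copy so the previous config can be restored if sshd -t rejects the edit.
cp -- "$sshd_config" "$sshd_config.bak"

#######################################
# Set one sshd_config directive to a single value.
# Globals:   sshd_config (read)
# Arguments: $1 - directive name (matched at line start, like the original
#                 grep "^UsePAM"), $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -q "^$key" "$sshd_config"; then
    sed -i "s/^$key.*/$key $value/" "$sshd_config"
  else
    printf '%s %s\n' "$key" "$value" >> "$sshd_config"
  fi
}

set_sshd_option UsePAM yes         # PAM session modules (pam_limits) apply limits.conf at login
set_sshd_option X11Forwarding no   # not needed on a proxy host; one less sshd feature exposed
set_sshd_option UseDNS no          # no reverse-DNS lookup of the client at connect time

# Restart only when the new file parses; on a parse error sshd keeps running the
# old config and the backup is put back so the next edit starts clean.
if sshd -t; then
  systemctl restart sshd
else
  printf 'sshd -t rejected %s; restoring %s.bak\n' "$sshd_config" "$sshd_config" >&2
  cp -- "$sshd_config.bak" "$sshd_config"
fi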

以下是手动设置

系统调优

swap调整,根据情况调整vm.swappiness数值

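# 1. Back up sysctl.conf. sudo added: the file is root-owned, and every other
#    write in this section already runs under sudo.
sudo cp -- /etc/sysctl.conf /etc/sysctl.conf.bak

# 2. List every file that currently sets vm.swappiness (read-only; for review)
find /etc/sysctl.d/ /etc/sysctl.conf -type f -exec grep -l "vm.swappiness" {} \;

# 3. Delete the old setting from all of them. The '.' is escaped so the pattern
#    matches this key literally rather than any character.
sudo sed -i '/^vm\.swappiness/d' /etc/sysctl.conf
sudo find /etc/sysctl.d/ -type f -name "*.conf" -exec sed -i '/^vm\.swappiness/d' {} \;

# 4. Put the new value in its own drop-in. `sudo tee` writes the file as root,
#    where a plain `>` redirect would be opened by the calling user.
echo "vm.swappiness = 1" | sudo tee /etc/sysctl.d/99-swap.conf

# 5. Reload every sysctl source (/etc/sysctl.d/*.conf, /etc/sysctl.conf, ...)
sudo sysctl --system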

验证

# Effective value after the reload (should print vm.swappiness = 1)
sysctl vm.swappiness

查询swap使用情况

# Active swap devices/files with size and usage; empty output means no swap
swapon --show

vm.dirty_ratio和vm.dirty_background_ratio调整

验证默认值

# Current values, to record before they are changed below
sysctl vm.dirty_ratio
sysctl vm.dirty_background_ratio

查询所有脏页相关参数

# Every kernel parameter whose name contains "dirty" (sysctl -a may print
# permission-denied lines for some keys when run unprivileged)
sysctl -a | grep dirty

修改默认值

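# Back up before editing, as the swap section does
cp -- /etc/sysctl.conf /etc/sysctl.conf.bak

# Drop both keys from sysctl.conf ('.' escaped: match these keys literally)
sed -i '/^vm\.dirty_ratio/d' /etc/sysctl.conf
sed -i '/^vm\.dirty_background_ratio/d' /etc/sysctl.conf

# Remove earlier dirty-page drop-ins so only 99-dirty-ratio.conf remains.
# NOTE(review): the glob removes every *dirty*.conf under /etc/sysctl.d;
# list them first (ls /etc/sysctl.d/*dirty*.conf) when the directory is shared
# with other tooling.
rm -f -- /etc/sysctl.d/*dirty*.conf

# Comment out the same keys in any *kernel*.conf drop-in. A loop replaces the
# original `[ -f glob ]`, which errors with "too many arguments" when the glob
# matches more than one file.
for f in /etc/sysctl.d/*kernel*.conf; do
    [ -e "$f" ] || continue   # no match: the literal pattern is left in $f, skip it
    sed -i '/^vm\.dirty_ratio/s/^/#/' "$f"
    sed -i '/^vm\.dirty_background_ratio/s/^/#/' "$f"
done

# Write the new drop-in. Only this step and the reload use sudo; the edits above
# need root as well, so run the whole section as root (or prefix each step).
cat << EOF | sudo tee /etc/sysctl.d/99-dirty-ratio.conf
# 内存脏页参数优化
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5
EOF

# Reload all sysctl sources
sudo sysctl --system

# Confirm the effective values
sysctl vm.dirty_ratio
sysctl vm.dirty_background_ratio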

参数调优

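# Replaces /etc/sysctl.conf wholesale. Keep a copy first, as the swap and
# dirty-ratio sections above do, so the previous settings can be recovered.
cp -- /etc/sysctl.conf /etc/sysctl.conf.bak

# NOTE(review): the heredoc is the page's tuning set, written unchanged. Before
# applying it, confirm the network-facing keys fit this host:
#  - net.ipv4.ip_forward and the *.forwarding keys = 1 make the box route
#    packets between interfaces; a proxy that terminates connections itself
#    does not need that.
#  - net.ipv4.conf.all.route_localnet = 1 allows routing to 127.0.0.0/8; the
#    alternative block further down on this page sets it to 0.
#  - net.ipv4.tcp_rfc1337 = 0 leaves the RFC 1337 TIME-WAIT protection off;
#    the alternative block sets it to 1.
cat > /etc/sysctl.conf << 'EOF'
# 文件描述符限制
fs.file-max = 6815744

# TCP 基础优化参数
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_frto = 0
net.ipv4.tcp_mtu_probing = 0
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_adv_win_scale = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# 网络缓冲区优化
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 16384 33554432
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192

# 网络转发设置
net.ipv4.ip_forward = 1
net.ipv4.conf.all.route_localnet = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

# TCP keepalive 参数
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3

# BBR 拥塞控制
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# 连接队列优化
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535

# TIME_WAIT 优化
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30

# TCP 性能优化
net.ipv4.tcp_slow_start_after_idle = 0
EOF

# `sysctl -p` loads only /etc/sysctl.conf and may exit non-zero when a key is
# unknown to the running kernel, in which case the && skips `sysctl --system`
# (which loads the same file plus /etc/sysctl.d). If that happens, run
# `sysctl --system` on its own and check its output for the rejected key.
sysctl -p && sysctl --system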

或者

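# Keep a copy first: this replaces /etc/sysctl.conf wholesale.
sudo cp -- /etc/sysctl.conf /etc/sysctl.conf.bak

# `sudo cat > FILE` does not work for a non-root user: the redirect is opened by
# the calling shell before sudo runs, so it fails with "Permission denied" (and
# when already root, sudo adds nothing). tee opens the file itself under sudo;
# > /dev/null keeps it from echoing the whole heredoc to the terminal.
# NOTE(review): net.ipv4.tcp_fastopen = 3 enables TCP Fast Open for both the
# client and the server side, and rp_filter = 1 is strict reverse-path
# filtering, which drops asymmetric-routed traffic — confirm both fit the host.
sudo tee /etc/sysctl.conf > /dev/null << 'EOF'
# --------------------------
# 文件描述符与进程限制
# --------------------------
fs.file-max = 6815744

# --------------------------
# TCP 基础优化参数
# --------------------------
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_frto = 1                # 启用 F-RTO 优化
net.ipv4.tcp_mtu_probing = 1         # 启用 MTU 探测
net.ipv4.tcp_rfc1337 = 1             # 安全处理 TIME-WAIT
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_adv_win_scale = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_slow_start_after_idle = 0

# --------------------------
# 网络缓冲区优化
# --------------------------
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.core.rmem_default = 87380        # 默认接收缓冲区
net.core.wmem_default = 87380        # 默认发送缓冲区
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 87380 33554432  # 对齐接收缓冲区中间值
net.ipv4.udp_rmem_min = 16384        # 增大 UDP 最小缓冲区
net.ipv4.udp_wmem_min = 16384

# --------------------------
# 连接队列与超时控制
# --------------------------
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_syn_retries = 2         # 减少 SYN 重试次数
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_tw_buckets = 65536  # 限制 TIME-WAIT 数量
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1

# --------------------------
# 内存与拥塞控制
# --------------------------
net.core.netdev_max_backlog = 262144  # 网络设备队列长度
net.ipv4.tcp_mem = 786432 1048576 1572864  # 全局 TCP 内存限制
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# --------------------------
# Keepalive 与安全
# --------------------------
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.conf.all.rp_filter = 1       # 启用反向路径过滤
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.route_localnet = 0  # 关闭危险的路由选项

# --------------------------
# 网络转发与 IPv6
# --------------------------
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

# --------------------------
# 高级加速选项
# --------------------------
net.ipv4.tcp_fastopen = 3            # 启用 TCP Fast Open
EOF

# Load the file just written (non-zero exit if the kernel rejects a key)
sudo sysctl -p /etc/sysctl.conf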

修改 systemd 限制

# Raise the open-file limit of the haproxy unit through a drop-in; daemon-reload
# makes systemd read it, the service itself is restarted further down the page.
# printf replaces `echo -e`, whose escape handling is shell-dependent; the file
# content is the same two lines.
mkdir -p /etc/systemd/system/haproxy.service.d/ \
  && printf '[Service]\nLimitNOFILE=200000\n' > /etc/systemd/system/haproxy.service.d/limits.conf \
  && systemctl daemon-reload

添加 HAProxy 限制到 limits.conf

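# Add the nofile entries without discarding what limits.conf already holds:
# `cat > limits.conf` would replace the whole file. Each line is appended only
# when it is not already present (exact, fixed-string match), so the step can
# be re-run without stacking duplicates.
# NOTE(review): if the file already carries a different nofile value for one of
# these domains, remove that line by hand — which of two entries for the same
# domain wins is decided by pam_limits, not by this script.
limits_conf=/etc/security/limits.conf
cp -- "$limits_conf" "$limits_conf.bak"
while IFS= read -r line; do
  grep -qxF -- "$line" "$limits_conf" || printf '%s\n' "$line" >> "$limits_conf"
done << 'EOF'
* soft nofile 200000
* hard nofile 200000
root soft nofile 200000
root hard nofile 200000
haproxy soft nofile 200000
haproxy hard nofile 200000
EOF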

修改 profile:

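# Append once: the guard keeps repeated runs from adding duplicate lines.
# NOTE(review): this raises the soft limit for every login shell; `ulimit -n`
# fails with a message at login for any user whose hard limit is below 200000,
# which is what the limits.conf entries above are there to prevent.
grep -qxF -- "ulimit -n 200000" /etc/profile || echo "ulimit -n 200000" >> /etc/profile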

确保 sshd_config 中启用 PAM:

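# The plain `s/#UsePAM yes/UsePAM yes/` only works while the file still holds
# that exact commented line; like the ssh section earlier on this page, replace
# an existing UsePAM directive or append one, whatever the file looks like.
if grep -q "^UsePAM" /etc/ssh/sshd_config; then
    sed -i 's/^UsePAM.*/UsePAM yes/' /etc/ssh/sshd_config
else
    echo "UsePAM yes" >> /etc/ssh/sshd_config
fi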

应用更改

# Restart sshd so new sessions go through PAM with the limits above
systemctl restart sshd

# Re-read /etc/profile in this shell (`.` is the POSIX spelling of `source`);
# it only affects the current shell, other sessions pick it up at next login
. /etc/profile

# Soft open-file limit now in effect for this shell
ulimit -n

重启

# Re-read unit files and drop-ins (picks up limits.conf under haproxy.service.d)
systemctl daemon-reload

# Restart so the new LimitNOFILE applies to the fresh haproxy processes
systemctl restart haproxy

查询

# Soft open-file limit of the current shell (not of the haproxy service;
# the /proc/PID/limits checks below cover that)
ulimit -n

检测配置文件是否有效

# Parse-check the configuration before the restart that follows
sudo haproxy -c -f /etc/haproxy/haproxy.cfg

重启

# Restart HAProxy (same as the earlier restart, with sudo for a non-root shell)
sudo systemctl restart haproxy

检查 HAProxy 服务状态:

# Unit state plus recent journal lines; confirms the restart succeeded
systemctl status haproxy

获取 HAProxy 主进程 PID

# All haproxy PIDs (master and worker processes); the PIDs in the checks
# below are the values from the author's host and differ per machine
pidof haproxy

检查主进程(root)的限制

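# 45924 was the master PID on the author's host. Taking the PIDs from pidof
# makes the check work on any host and covers master and workers in one go;
# the "open files" line of /proc/PID/limits shows soft and hard limits.
for pid in $(pidof haproxy); do
    printf '%s: ' "$pid"
    grep "open files" "/proc/$pid/limits"
done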

检查工作进程(haproxy)的限制

# Soft/hard open-file limits of one worker process. 45926 is the worker PID on
# the author's host; substitute a PID from `pidof haproxy`. grep reads the file
# directly, no cat needed.
grep "open files" /proc/45926/limits

查看当前运行信息, 先安装 socat:

# Debian/Ubuntu: refresh package lists, then install socat (prompts for
# confirmation without -y)
apt-get update
apt-get install socat

查询

# Ask the running HAProxy for its runtime counters over the admin socket. The
# socket path comes from the `stats socket` line in haproxy.cfg; anyone who can
# write to that socket can alter the running proxy, so its owner and mode are
# worth a look (ls -l /run/haproxy/admin.sock). The here-string sends the same
# "show info" line, newline included, as the original echo.
socat unix-connect:/run/haproxy/admin.sock stdio <<< "show info"

CurrConns 当前连接数

MaxConnRate 最大连接速率/每秒

CumConns 累计连接数

CC BY-NC-SA 4.0 转载请注明
最后更新于 2025-03-27 03:42